The Hotel Hero

Notes by a Sysadmin



Ansible Vault

July 22, 2021 | Cluster

Oftentimes it comes in handy to encrypt data that is used for automation. Sensitive data like passwords and other credentials for infrastructure should be handled with a certain amount of precaution.

Ansible Vault

Ansible Vault is Ansible's built-in encrypted storage for sensitive data, although it is also possible to integrate Ansible with different kinds of password managers, e.g. "pass" and others.

So, let's say you have a couple of passwords that you need to use from time to time. You could make a file like "my_secrets.enc":

pass_server1: SuperSecretPassword1
pass_server2: SuperSecretPassword2

Then you will encrypt the file:

ansible-vault encrypt my_secrets.enc

After encryption the file starts with a header line giving the format version and cipher, followed by the hex-encoded ciphertext, and looks something like this:

$ANSIBLE_VAULT;1.1;AES256

Now, when running your playbook, pass the encrypted file as extra vars with -e @<file> and let Ansible prompt for the vault password with --ask-vault-pass. In the following example my_secrets.enc is located in a directory called "vault" (but it can be created anywhere):

ansible-playbook -e @vault/my_secrets.enc --ask-vault-pass playbooks/my_playbook.yaml

Alternatively, you can create a new encrypted vault file directly with the create command, which prompts for the vault password via --vault-id @prompt:

ansible-vault create --vault-id @prompt secret.yml

Edit the secret file

You can either decrypt, edit and re-encrypt, or you could use the Ansible Vault edit command:

# Opens the decrypted content in your $EDITOR (vi by default) and re-encrypts it on save,
# so the plaintext never lands on disk.
ansible-vault edit my_secrets.enc

# Or you could decrypt the file and then edit it with another editor.
# Note that the file is now stored in plaintext on disk until you encrypt it again.
ansible-vault decrypt my_secrets.enc

# And remember to encrypt it afterwards
ansible-vault encrypt my_secrets.enc
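A common slip with the workflow above is forgetting the final encrypt step and committing a plaintext secrets file. The following pre-commit style check is an added example, not code from the original post or from Ansible itself: it accepts a file under the assumed "vault/" directory only if it carries a valid $ANSIBLE_VAULT header (format 1.1, or 1.2 with a vault-id label) and a hex-only body, and the sample file contents are constructed for the demonstration.

```python
import re

# Header layout: $ANSIBLE_VAULT;<format version>;<cipher>[;<vault-id label>]
# Version 1.1 has no label; 1.2 (written when a labelled --vault-id is used) appends one.
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);(AES256)(?:;([A-Za-z0-9_.-]+))?$")
HEX_LINE = re.compile(r"^[0-9a-f]+$")


def parse_vault_header(text):
    """Return (version, cipher, label) from the first line, or None if not a vault file."""
    first_line = text.splitlines()[0] if text.strip() else ""
    m = VAULT_HEADER.match(first_line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def is_vault_encrypted(text):
    """True only if the header is valid and every following non-blank line is lowercase hex."""
    if parse_vault_header(text) is None:
        return False
    body = [ln.strip() for ln in text.splitlines()[1:] if ln.strip()]
    return bool(body) and all(HEX_LINE.match(ln) for ln in body)


def find_plaintext_secrets(staged_files):
    """Given {path: contents}, return the paths under vault/ that are not encrypted."""
    return sorted(p for p, c in staged_files.items()
                  if p.startswith("vault/") and not is_vault_encrypted(c))


# Constructed sample inputs: a vault file with a short fake hex body, the same
# with a vault-id label, and a plaintext secrets file that the check must catch.
ENCRYPTED = "$ANSIBLE_VAULT;1.1;AES256\n3337613165343835\n6233333430653466\n"
LABELLED = "$ANSIBLE_VAULT;1.2;AES256;prod\n3337613165343835\n"
PLAINTEXT = "pass_server1: SuperSecretPassword1\npass_server2: SuperSecretPassword2\n"

if __name__ == "__main__":
    staged = {"vault/my_secrets.enc": ENCRYPTED,
              "vault/prod.yml": LABELLED,
              "vault/oops.yml": PLAINTEXT,
              "playbooks/my_playbook.yaml": "- hosts: all\n"}
    bad = find_plaintext_secrets(staged)
    if bad:
        raise SystemExit("refusing commit, unencrypted vault files: " + ", ".join(bad))
```

Wired into a git pre-commit hook (reading the staged paths instead of the dictionary above), this blocks a commit before an unencrypted my_secrets.enc ever reaches the remote.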

About

I'm a Sysadmin, network manager and cyber security enthusiast. The main purpose of this public "notebook" is for referencing repetitive tasks, but it might as well come in handy to others. Windows cannot be supported! But all other OSes compliant with the POSIX standard can (with minor adjustments) apply the configs on the site. That is Mac OSX, RHEL and all the Fedora-based distros and Debian-based ones (several hundred OSes), all the BSD distros, Solaris, AIX and HP-UX.
